Features • Configuration Roles • Bootstrap Images • Bespoke CLI • Architecture • Related Flakes
slightly overengineered dendritic NixOS configuration flake for multiple
hosts
Why do I not use some popular libraries?
Nix-specific features:
- Completely reproducible, pure evaluation
- Role-based outputs with features as dendritic modules
- Variables system for device-specific configuration
- Bespoke CLI for maintaining this flake
- Flake-enabled bootstrap images
- Dotfiles managed using wrappers implemented from basic nixpkgs functions
- Impermanence using ZFS snapshots and bind mounts, without the library.
- Secrets managed using sops-nix
- Secure boot using lanzaboote
- Package management using lix
Desktop features:
- 100% wayland, no xorg or xwayland
- SwayFX compositor
- Waybar top panel with several useful modules
- Eww widgets for bottom dock, dashboard, calendar, etc
- Rofi menu for launchers, clipboard history, workspace switchers, etc
- Brave browser with tight policies to ensure security and protect user privacy
- Sandboxing with Bubblewrap and xdg-dbus-proxy.
- NVF-powered neovim configuration
- Theming and colors with colors
- Declarative browser homepage with homepage
- Declarative wallpapers with wallpapers
- XKCD lockscreen wallpapers with xkcd-wall
- Automatic behavior changes when outside trusted & reliable networks with Roaming Mode
Services features:
- Unbound DNS server
- NGINX web server & reverse proxy
- ACME for Let's Encrypt certificates
- SearXNG search engine
- Vaultwarden password manager
- i2pd I2P router
- Jellyfin media server
Comprehensive features list:
| Category | Stack |
|---|---|
| distro | NixOS |
| packages | nixos-unstable |
| package manager | lix |
| kernel | linux |
| shell | bash |
| entropy | jitterentropy |
| malloc | graphene-hardened |
| bootloader | systemd-boot, uboot |
| secure boot | lanzaboote |
| filesystem | zfs |
| impermanence | zfs(8) mount(8) |
| drive health | smartmontools |
| dotfiles | nixpkgs wrappers |
| ~ symlinks | systemd-tmpfiles |
| auditing | auditd |
| secrets | sops, sops-nix |
| keys | age, signify, gpg |
| usb policy | usbguard |
| sandboxing | bubblewrap, xdg-dbus-proxy |
| firewall | nf_tables |
| mac randomization | macchanger |
| anonymity | i2pd |
| networking | wpa_supplicant |
| dns | unbound |
| secure shell | sshd, fail2ban |
| display server | wayland |
| compositor | swayfx, cage |
| bar | waybar |
| widgets | eww |
| launcher | rofi |
| notifications | dunst |
| terminal emulator | foot |
| file manager | thunar |
| audio | pipewire, pavucontrol, playerctl |
| media player | mpv |
| pdf reader | zathura |
| images | swayimg, imagemagick |
| vector graphics editor | inkscape |
| screenshots | grimshot, grim, slurp |
| clipboard | cliphist |
| browser | brave |
| web server | nginx |
| certificates | acme |
| homepage | homepage |
| search engine | searxng |
| media server | jellyfin |
| bittorrent | qbittorrent-nox |
| passwords | vaultwarden |
| text editor | neovim, mousepad |
| version control | git |
| development | rust, python, go, haskell |
| virtualization | qemu, virt-manager, distrobox, podman |
| cpu optimizations | auto-cpufreq |
| resource monitor | btop, htop |
| themes, icons, cursors, fonts | colors |
| wallpapers | wallpapers, xkcd-wall |
| terminal misc | cava, fortune |
This flake uses role-based configuration.
| Role | Description | Documentation |
|---|---|---|
| Laptop | Configuration for my laptops. | Requirements - Setup - Usage |
| Server | Configuration for my home-servers. | Requirements - Setup - Usage |
Some previous roles have been moved to separate repos; see Related Flakes.
Three images are included: GNOME, Minimal and SD (for installation, recovery, etc.).
These images provide a preconfigured environment for setting up this flake, and include useful tools for installation, recovery, etc.
It is also possible to further configure these images for specific installation setups. Modules for remote installation over a wireless network are also provided.
See Images Documentation for more details.
Routine tasks such as updating the flake, switching configurations,
garbage-collecting, and editing variables & secrets are handled through the
bespoke unified nixos(1) wrapper CLI.
Manpage:

```
man nixos
```

See CLI Documentation for the full command reference and workflow examples.
- `./modules/` are low-level dendritic features, which are exposed under `nixosModules.modules.*`.
- `./profiles/` are high-level collections of modules, which are exposed under `nixosModules.profiles.*`.
- `./roles/` are the final outputs provided by this flake; each role is a full system configuration composed of several profiles/modules.
- Variables capture the differences between multiple instances of the same role. Variables are not provided in this flake and are defined on a per-deployment basis.
Here are some of my other flakes that are related to my NixOS tooling:
- neovim, Neovim configuration flake (ft. nvf)
- neovim-nixvim, Neovim configuration flake (ft. nixvim)
- colors, Colorscheme flake
- wallpapers, Expose wallpapers as Nix expressions
- homepage, A pure Nix static homepage generator
- droid, nix-on-droid configuration
- pattern, Atomic, image-based systems with A/B updates, provisioned using Nix
- flag, A pattern for my VMs
- nate, MATE desktop for my NixOS needs
- coffee, A very minimal openbox configuration
Some of these repos were previously part of this repo, but were separated because they were out of scope (e.g., pattern).
Others are still in scope, but are maintained separately for simplicity (e.g., wallpapers).

